NAME
    gcloud alpha iam workforce-pools create-cred-config - create a
        configuration file for generated credentials

SYNOPSIS
    gcloud alpha iam workforce-pools create-cred-config AUDIENCE
        --output-file=OUTPUT_FILE
        --workforce-pool-user-project=WORKFORCE_POOL_USER_PROJECT
        (--credential-source-file=CREDENTIAL_SOURCE_FILE
          | --credential-source-url=CREDENTIAL_SOURCE_URL
          | --executable-command=EXECUTABLE_COMMAND)
        [--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME]
        [--credential-source-headers=[key=value,...]]
        [--credential-source-type=CREDENTIAL_SOURCE_TYPE]
        [--subject-token-type=SUBJECT_TOKEN_TYPE]
        [--executable-interactive-timeout-millis=EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS --executable-output-file=EXECUTABLE_OUTPUT_FILE --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS]
        [--service-account=SERVICE_ACCOUNT
          : --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) This command creates a configuration file to allow access to
    authenticated Google Cloud actions from a variety of external user
    accounts.

EXAMPLES
    To create a file-sourced credential configuration for your project, run:

        $ gcloud alpha iam workforce-pools create-cred-config \
            locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\
        $PROVIDER_ID --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \
            --workforce-pool-user-project=$PROJECT_NUMBER \
            --output-file=credentials.json

    To create a URL-sourced credential configuration for your project, run:

        $ gcloud alpha iam workforce-pools create-cred-config \
            locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\
        $PROVIDER_ID --credential-source-url=$URL_FOR_OIDC_TOKEN \
            --credential-source-headers=Key=Value \
            --workforce-pool-user-project=$PROJECT_NUMBER \
            --output-file=credentials.json

    To create an executable-source credential configuration for your project,
    run the following command:

        $ gcloud alpha iam workforce-pools create-cred-config \
            locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\
        $PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND \
            --executable-timeout-millis=30000 \
            --executable-output-file=$CACHE_FILE \
            --workforce-pool-user-project=$PROJECT_NUMBER \
            --output-file=credentials.json

    To use the resulting file for any of these commands, set the
    GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the
    generated file.

POSITIONAL ARGUMENTS
     AUDIENCE
        The workforce pool provider resource name.

REQUIRED FLAGS
     --output-file=OUTPUT_FILE
        Location to store the generated credential configuration file.

     --workforce-pool-user-project=WORKFORCE_POOL_USER_PROJECT
        The client project number used to identify the application (client
        project) to the server when calling Google APIs. The user principal
        must have serviceusage.services.use IAM permission to use the specified
        project.

     Credential types.

     Exactly one of these must be specified:

       --credential-source-file=CREDENTIAL_SOURCE_FILE
          The location of the file which stores the credential.

       --credential-source-url=CREDENTIAL_SOURCE_URL
          The URL to obtain the credential from.

       --executable-command=EXECUTABLE_COMMAND
          The full command to run to retrieve the credential. Must be an
          absolute path for the program including arguments.

OPTIONAL FLAGS
     --credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME
        The subject token field name (key) in a JSON credential source.

     --credential-source-headers=[key=value,...]
        Headers to use when querying the credential-source-url.

     --credential-source-type=CREDENTIAL_SOURCE_TYPE
        The format of the credential source (JSON or text).

     --subject-token-type=SUBJECT_TOKEN_TYPE
        The type of token being used for authorization. This defaults to
        urn:ietf:params:oauth:token-type:id_token.

     Arguments for an executable type credential source.

       --executable-interactive-timeout-millis=EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS
          The timeout duration, in milliseconds, to wait for the executable to
          finish when the command is running in interactive mode.

       --executable-output-file=EXECUTABLE_OUTPUT_FILE
          The absolute path to the file storing the executable response.

       --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS
          The timeout duration in milliseconds for waiting for the executable
          to finish.

     Service account impersonation options.

       --service-account=SERVICE_ACCOUNT
          The email of the service account to impersonate.

          This flag argument must be specified if any of the other arguments in
          this group are specified.

       --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
          The desired lifetime duration of the service account access token in
          seconds. This defaults to one hour when not provided. If a lifetime
          greater than one hour is required, the service account must be added
          as an allowed value in an Organization Policy that enforces the
          constraints/iam.allowServiceAccountCredentialLifetimeExtension
          constraint.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. These variants are also available:

        $ gcloud iam workforce-pools create-cred-config

        $ gcloud beta iam workforce-pools create-cred-config

